Crouching Yeti: got caught anyway

Security researchers uncovered yet another long-standing APT campaign aimed at exfiltration of important data from the organizations associated with strategic industrial sectors. Once again, businesses involved in these areas are threatened by a host of malware and are at risk of losing sensitive data. This campaign received not just one name, but two: Energetic Bear and/or Crouching Yeti.

Years ago the once-famous game developer and publisher Sierra released a great series of fantasy adventure and role-playing games titled “Quest for Glory”. The main character could choose one of three classes, “fighter”, “wizard” or “thief”, together with a set of appropriate skills. If a skill such as stealth was lacking completely, every attempt to switch your character into “stealthy” mode came back with the message: “You are as stealthy as an average Goon”.

Yes, in these games Goons were green-skinned, bulky, and rather dumb creatures, not unlike Warhammer orcs.

Goons. A screenshot from Quest for Glory IV: Shadows of Darkness PC game.

So, when I saw the “Crouching Yeti” title, that “as an average Goon” message was the first thing to come to mind. Unfortunately, this is not about a funny message in a PC game; it is the name Kaspersky Lab has given to a new APT campaign.

Apparently, it’s still all about stealth, or rather about stealing. Launching a large cybercampaign to fish out (or phish vigorously for) information from organizations tied to a multitude of strategic industries is a trend now, and that is exactly what “Energetic Bear/Crouching Yeti” does. Its focuses are the industrial and machinery sectors, manufacturing, pharmaceutical and construction companies, education facilities and, of course, organizations related to information technology. Most of the victims work in the industrial/machinery building sector; apparently the Bear/Yeti has a special interest there.

Bear caught yet another fish. A screenshot from World of Warcraft PC game.

Of course, there are not one but two names: Energetic Bear and Crouching Yeti. The first was given by our colleagues at CrowdStrike, who believe that the campaign is of Russian origin and that its main target is the energy sector. Our experts, however, do not confirm this. The origin is still something of a mystery (hence the “Yeti”: somewhat bear-like, but much more mysterious) and, as shown above, the attackers’ interests are far from limited to the energy industry.

The campaign has been around since at least 2010, and so far we have seen about 2800 victims worldwide.

A Giant Yeti. Bulky and frightening (A screenshot from World of Warcraft PC game).

Victims are either peppered with spearphishing PDF documents carrying an embedded Flash exploit (CVE-2011-0611, quite old, as one can see) or served Trojanized software installers; on top of that there are watering-hole attacks using a variety of re-used exploits.

The attackers have a handful of specific Trojans ready. These infect only Windows systems and include Havex (the most frequently detected one), the Sysmain Trojans, the ClientX backdoor, the Karagany backdoor and its related stealers, among others.

What is more unsettling is that the dozens of known Yeti exploit sites and their known referrer sites were compromised legitimate sites, running vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise those servers were zero-days, and none of the client-side exploits, re-used from the open-source Metasploit framework, were zero-days either.

In other words, there is little originality and little subtlety in the attackers’ activities, although they are methodical and their approach is reported to be “managed” and “minimal”. They use a stable (unchanging) toolset and employ encryption appropriately: exfiltrated log files are encrypted with symmetric keys, and those keys are in turn protected with the attackers’ public key.
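The practical consequence of that scheme is worth spelling out, so here is an added example in Go of the same envelope construction (this is illustrative code written for this post, not the Yeti toolset or a reconstruction of its file format; the bundle layout, the AES-GCM/RSA-OAEP choice and the sample log line are all assumptions). The log is encrypted under a fresh symmetric key and only that key is wrapped with the attacker’s public key, so a defender who captures the exfiltrated file and even carves the public key out of the sample still gets nothing without the attacker’s private key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Bundle is what leaves the victim: the log encrypted under a fresh
// per-file symmetric key, plus that key wrapped with the attacker's
// RSA public key. This layout is an assumption for the example, not
// the on-the-wire format of Havex or its siblings.
type Bundle struct {
	WrappedKey []byte // RSA-OAEP(attacker public key, AES key)
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // AES-256-GCM(AES key, nonce, log file)
}

// Seal encrypts a harvested log. Only the public key is needed on the
// victim, so nothing left on the compromised host can decrypt the output.
func Seal(pub *rsa.PublicKey, logData []byte) (*Bundle, error) {
	key := make([]byte, 32) // AES-256 key, generated per log file
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, logData, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Bundle{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the attacker's side: unwrap the AES key with the private key,
// then decrypt and authenticate the log. Anyone else gets an error.
func Open(priv *rsa.PrivateKey, b *Bundle) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func main() {
	// Attacker's key pair; in a real campaign only the public half
	// would be embedded in the malware.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample "log" standing in for harvested data.
	harvested := []byte("2014-07-01 user=operator host=hmi01 clipboard=\"PLC password\"\n")

	bundle, err := Seal(&attacker.PublicKey, harvested)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("bundle: %d-byte wrapped key, %d-byte ciphertext, plaintext visible: %v\n",
		len(bundle.WrappedKey), len(bundle.Ciphertext), bytes.Contains(bundle.Ciphertext, harvested))

	// Attacker side: the log comes back intact.
	plain, err := Open(attacker, bundle)
	fmt.Printf("attacker decrypts: err=%v match=%v\n", err, bytes.Equal(plain, harvested))

	// Defender side: a different private key yields an error, not data.
	someoneElse, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Open(someoneElse, bundle)
	fmt.Printf("without the attacker's private key: err=%v\n", err)
}
```

The takeaway for responders is that captured exfiltration traffic of this kind is not going to be decrypted after the fact; the data has to be caught on the host before it is sealed, or the channel has to be detected and blocked by its behaviour rather than its content.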

Unfortunately, they managed to stay “crouching”, undetected, for almost four years.

Good news: Kaspersky Lab solutions detect and skull-bash all of the malware used by the attackers behind Crouching Yeti. This time they are just not subtle enough.

However giant, the Yeti is no match for this player’s druid (A screenshot from World of Warcraft PC game).

Tips